Debugger disassembly while executing EXE(Windows)
Below is my disassembler, which runs while a Windows 32-bit application executes. Excellent source code for those writing a debugger in PureBasic. Please give me feedback on what you think of it.
Last edited by goldbaby on Fri Oct 01, 2010 4:36 pm, edited 1 time in total.
Re: Debugger disassembly while executing EXE(windows)
Here is the cleaned-up code, a far better functioning version of the disassembler debugger program.
; ---------------------------------------------------------------------------------------
; Disassembler header: structures and globals.
; The field names and layout of REX_Struct, PREFIXINFO, EFLStruct, MEMORYTYPE, INSTRTYPE,
; ARGTYPE and _Disasm read like a PureBasic port of a C disassembler library's public
; header (NOTE(review): presumably BeaEngine - confirm against the library version you
; actually link). Field order and widths (.b = 1 byte, .l = 4 bytes, .q = 8 bytes,
; .b[n] = fixed byte array) must therefore stay exactly as they are: they have to match
; the C ABI layout of that library.
; NOTE: nothing in this listing reads MyDisasm or any of these structures - the actual
; disassembly in RunProgramEx() is done with PureBasic's built-in
; ExamineAssembly()/NextInstruction()/InstructionString() functions.
; ---------------------------------------------------------------------------------------
Global ph                  ; unused in this listing
Global SysInfo.SYSTEM_INFO ; unused in this listing
; ListView hit-test record (LVHITTESTINFO plus the iGroup member); unused in this listing
Structure LV_HITTESTINFOEX
Pt.POINT
Flags.l
iItem.l
iSubItem.l
iGroup.l
EndStructure
#NbProcessesMax = 10000 ; upper bound of ProcessesArray(), declared further down
; Decomposed x86-64 REX prefix: one byte per W/R/X/B bit plus a 'state' (presence) byte
Structure REX_Struct
W_.b
R_.b
X_.b
B_.b
state.b
EndStructure
Global Rex_Struct.REX_Struct
; Prefix bytes found in front of the opcode. Each *Prefix byte presumably carries one
; of the prefix-state constants declared below (#NotUsedPrefix, #InUsePrefix, ...).
Structure PREFIXINFO
Number.l
NbUndefined.l
LockPrefix.b
OperandSize.b
AddressSize.b
RepnePrefix.b
RepPrefix.b
FSPrefix.b
SSPrefix.b
GSPrefix.b
ESPrefix.b
CSPrefix.b
DSPrefix.b
BranchTaken.b
BranchNotTaken.b
REX.REX_Struct
EndStructure
Global Prefixinfo.PREFIXINFO
; Per-flag EFLAGS effect of an instruction. The comment on each field gives the bit
; position of that flag in the EFLAGS register; the byte value presumably combines the
; EFLAGS state constants declared below (#TE_, #MO_, #RE_, #SE_, #UN_, #PR_).
; RunProgramEx() relies on the same bit numbering when it sets bit 8 (TF) to single-step.
Structure EFLStruct
OF_.b ;(bit 11)
SF_.b ;(bit 7)
ZF_.b ;(bit 6)
AF_.b ;(bit 4)
PF_.b ;(bit 2)
CF_.b ;(bit 0)
TF_.b ;(bit 8)
IF_.b ;(bit 9)
DF_.b ;(bit 10)
NT_.b ;(bit 14)
RF_.b ;(bit 16)
AL_.b ;alignment
EndStructure
Global Eflstruct.EFLStruct
; Memory operand: [BaseRegister + IndexRegister*Scale + Displacement]
Structure MEMORYTYPE
BaseRegister.l
IndexRegister.l
Scale.l
Displacement.q
EndStructure
Global Memorytype.MEMORYTYPE
; Decoded instruction: Category/Opcode/BranchType use the constants declared below,
; Mnemonic is a fixed 16-byte text field, Flags the EFLAGS effect of the instruction.
Structure INSTRTYPE
Category.l
Opcode.l
Mnemonic.b[16]
BranchType.l
Flags.EFLStruct
AddrValue.q
Immediat.q
ImplicitModifiedRegs.l
EndStructure
Global Instrtype.INSTRTYPE
; One operand: ArgMnemonic is a fixed 32-byte text field, ArgType/AccessMode use the
; ARGUMENTS_TYPE and #Read/#WRITE constants, Memory is filled for memory operands.
Structure ARGTYPE
ArgMnemonic.b[32]
ArgType.l
ArgSize.l
AccessMode.l
Memory.MEMORYTYPE
SegmentReg.l
EndStructure
Global Argtype.ARGTYPE
; Disassembler context passed to the library: EIP = address of the bytes to decode,
; VirtualAddr = address to print for them, SecurityBlock = bytes that may be read,
; CompleteInstr = textual result, Archi/Options = decoding mode and syntax flags.
; Reserved_ pads the structure to the library's size; do not drop it.
Structure _Disasm
EIP.l
VirtualAddr.q
SecurityBlock.l
CompleteInstr.b[64]
Archi.l
Options.l
Instruction.INSTRTYPE
Argument1.ARGTYPE
Argument2.ARGTYPE
Argument3.ARGTYPE
Prefix.PREFIXINFO
Reserved_.l[40]
EndStructure
Global MyDisasm._Disasm ; never referenced after this line
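; ---------------------------------------------------------------------------------------
; Disassembler header: constants (values mirror the C library's enums, keep them as-is).
; Fix: UNDOCUMENTED_INSTRUCTION .. CLMUL_INSTRUCTION were written without the leading
; '#', which in PureBasic makes them ordinary main-scope variables instead of constants
; (they were the only five entries of the INSTRUCTION_TYPE list declared that way and
; would have been invisible inside procedures). They are now constants like the rest.
; ---------------------------------------------------------------------------------------
; Segment register numbers (SegmentReg field of ARGTYPE)
#ESReg = 1
#DSReg = 2
#FSReg = 3
#GSReg = 4
#CSReg = 5
#SSReg = 6
; ********** Prefixes - state of each *Prefix byte in PREFIXINFO
#InvalidPrefix = 4
#InUsePrefix = 1
#SuperfluousPrefix = 2
#NotUsedPrefix = 0
#MandatoryPrefix = 8
; ********** EFLAGS states - bit flags combined in each EFLStruct byte
#TE_ = 1 ;test
#MO_ = 2 ;modify
#RE_ = 4 ;reset
#SE_ = 8 ;set
#UN_ = 16 ;undefined
#PR_ = 32 ;restore prior value
; __________________________________________________________________________________________________________
;
; INSTRUCTION_TYPE - high 16 bits of INSTRTYPE\Category (instruction set family)
; __________________________________________________________________________________________________________
#GENERAL_PURPOSE_INSTRUCTION = $00010000
#FPU_INSTRUCTION = $00020000
#MMX_INSTRUCTION = $00040000
#SSE_INSTRUCTION = $00080000
#SSE2_INSTRUCTION = $00100000
#SSE3_INSTRUCTION = $00200000
#SSSE3_INSTRUCTION = $00400000
#SSE41_INSTRUCTION = $00800000
#SSE42_INSTRUCTION = $01000000
#SYSTEM_INSTRUCTION = $02000000
#VM_INSTRUCTION = $04000000
#UNDOCUMENTED_INSTRUCTION = $08000000
#AMD_INSTRUCTION = $10000000
#ILLEGAL_INSTRUCTION = $20000000
#AES_INSTRUCTION = $40000000
#CLMUL_INSTRUCTION = $80000000
; Low 16 bits of INSTRTYPE\Category (functional class of the instruction)
#DATA_TRANSFER = 1
#ARITHMETIC_INSTRUCTION = 2
#LOGICAL_INSTRUCTION = 3
#SHIFT_ROTATE = 4
#BIT_BYTE = 5
#CONTROL_TRANSFER = 6
#STRING_INSTRUCTION = 7
#InOutINSTRUCTION = 8
#ENTER_LEAVE_INSTRUCTION = 9
#FLAG_CONTROL_INSTRUCTION = 10
#SEGMENT_REGISTER = 11
#MISCELLANEOUS_INSTRUCTION = 12
#COMPARISON_INSTRUCTION = 13
#LOGARITHMIC_INSTRUCTION = 14
#TRIGONOMETRIC_INSTRUCTION = 15
#UNSUPPORTED_INSTRUCTION = 16
#LOAD_CONSTANTS = 17
#FPUCONTROL = 18
#STATE_MANAGEMENT = 19
#CONVERSION_INSTRUCTION = 20
#SHUFFLE_UNPACK = 21
#PACKED_SINGLE_PRECISION = 22
#SIMD128bits = 23
#SIMD64bits = 24
#CACHEABILITY_CONTROL = 25
#FP_INTEGER_CONVERSION = 26
#SPECIALIZED_128bits = 27
#SIMD_FP_PACKED = 28
#SIMD_FP_HORIZONTAL = 29
#AGENT_SYNCHRONISATION = 30
#PACKED_ALIGN_RIGHT = 31
#PACKED_SIGN = 32
; ****************************************** SSE4
#PACKED_BLENDING_INSTRUCTION = 33
#PACKED_TEST = 34
; CONVERSION_INSTRUCTION -> Packed Integer Format Conversions and Dword Packing With Unsigned Saturation
; COMPARISON -> Packed Comparison SIMD Integer Instruction
; ARITHMETIC_INSTRUCTION -> Dword Multiply Instruction
; DATA_TRANSFER -> POPCNT
#PACKED_MINMAX = 35
#HORIZONTAL_SEARCH = 36
#PACKED_EQUALITY = 37
#STREAMING_LOAD = 38
#INSERTION_EXTRACTION = 39
#DOT_PRODUCT = 40
#SAD_INSTRUCTION = 41
#ACCELERATOR_INSTRUCTION = 42
#ROUND_INSTRUCTION = 43
; __________________________________________________________________________________________________________
;
; BranchTYPE - INSTRTYPE\BranchType; a negative value is the inverted condition of its positive twin
; __________________________________________________________________________________________________________
#Jo_ = 1
#Jno_ = -1
#Jc_ = 2
#Jnc_ = -2
#Je_ = 3
#Jne_ = -3
#Ja_ = 4
#Jna_ = -4
#Js_ = 5
#Jns_ = -5
#Jp_ = 6
#Jnp_ = -6
#Jl_ = 7
#Jnl_ = -7
#Jg_ = 8
#Jng_ = -8
#Jb_ = 9
#Jnb_ = -9
#Jecxz_ = 10
#JmpType = 11
#CallType = 12
#RetType = 13
; __________________________________________________________________________________________________________
;
; ARGUMENTS_TYPE - ARGTYPE\ArgType: operand kind (high nibble) or'ed with register class / addressing
; __________________________________________________________________________________________________________
#NO_ARGUMENT = $10000000
#REGISTER_TYPE = $20000000
#MEMORY_TYPE = $40000000
#CONSTANT_TYPE = $80000000
#MMX_REG = $00010000
#GENERAL_REG = $00020000
#FPU_REG = $00040000
#SSE_REG = $00080000
#CR_REG = $00100000
#DR_REG = $00200000
#SPECIAL_REG = $00400000
#MEMORY_MANAGEMENT_REG = $00800000 ; GDTR (REG0), LDTR (REG1), IDTR (REG2), TR (REG3)
#SEGMENT_REG = $01000000 ; ES (REG0), CS (REG1), SS (REG2), DS (REG3), FS (REG4), GS (REG5)
#RELATIVE_ = $04000000
#ABSOLUTE_ = $08000000
; ARGTYPE\AccessMode
#Read = 1
#WRITE = 2
; ************ Regs - one bit per register number, also used for ImplicitModifiedRegs
#REG0 = 1 ; 30h
#REG1 = 2 ; 31h
#REG2 = 4 ; 32h
#REG3 = 8 ; 33h
#REG4 = $10 ; 34h
#REG5 = $20 ; 35h
#REG6 = $40 ; 36h
#REG7 = $80 ; 37h
#REG8 = $100; 38h
#REG9 = $200; 39h
#REG10 = $400 ; 3Ah
#REG11 = $800 ; 3Bh
#REG12 = $1000 ; 3Ch
#REG13 = $2000 ; 3Dh
#REG14 = $4000 ; 3Eh
#REG15 = $8000 ; 3Fh
; ************ SPECIAL_REG
; Return values of the decoder
#UNKNOWN_OPCODE = -1
#OUT_OF_BLOCK = 0
; _Disasm\Options flags: output formatting
#NoTabulation = 0
#Tabulation = 1
#MasmSyntax = 0
#GoAsmSyntax = $100
#NasmSyntax = $200
#PrefixedNumeral = $10000
#SuffixedNumeral = 0
#ShowSegmentRegs = $01000000
;------- End Header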
;------- Test-Program by Helle
; PE section-table entry as in winnt.h (IMAGE_SECTION_HEADER); the union overlays
; PhysicalAddress and VirtualSize on the same 4 bytes. Not used by RunProgramEx().
#IMAGE_SIZEOF_SHORT_NAME = 8
Structure IMAGE_SECTION_HEADER
Name.b[#IMAGE_SIZEOF_SHORT_NAME]
StructureUnion
PhysicalAddress.l
VirtualSize.l
EndStructureUnion
VirtualAddress.l
SizeOfRawData.l
PointerToRawData.l
PointerToRelocations.l
PointerToLinenumbers.l
NumberOfRelocations.w
NumberOfLinenumbers.w
Characteristics.l
EndStructure
; Globals of the test program. Of these, only Buffer, Laenge, BaseAdr, EndAdr and File$
; are referenced by RunProgramEx(); the rest are declared but never used in this listing.
; (German names: Laenge = length, AnfAdresse = start address, Eigner = owner,
; NeuWert = new value.)
Global Dim ProcessesArray(#NbProcessesMax)
Global MBI.MEMORY_BASIC_INFORMATION
Global Buffer.l ; address of the local copy of target code (AllocateMemory in RunProgramEx)
Global Laenge.l ; EndAdr - BaseAdr, computed per debug event but never consumed
Global WindowID.l
Global Row.l
Global Column.l
Global GID.l
Global NeuWert.b
Global ProcessHandle.l
Global BaseAdr.l ; exception address of the last debug event
Global EndAdr.l  ; BaseAdr + 4096
Global AnfAdresse.l
Global Size.l
Global Status.l
Global MaxAdr.l
Global MinAdr.l
Global Eigner.l
Global Change.l
Global File$ ; path of the executable being run (set by RunProgramEx)
Structure IMAGE_SECTION_HEADERS
ish.IMAGE_SECTION_HEADER[95]
EndStructure
; NOTE(review): no leading '#', so this is a main-scope variable, not a constant; it is
; never read in this listing.
EXCEPTION_MAXIMUM_PARAMETERS = 15
Global CrLf.s
CrLf=Chr(13)+Chr(10) ; Windows line ending; unused in this listing (output uses Chr(13) directly)
Global DebuggerVal.l ; unused in this listing
Global DebuggerEIP.l ; unused in this listing
; Leftover from a C-style SEH experiment: neither __except nor detect() is defined in
; this file, and the macro is never expanded, so it has no effect. Expanding it would
; not compile as written.
Macro getinfo()
__except(detect(GetExceptionInformation()))
EndMacro
; Unregisters the process-wide unhandled-exception filter by installing a null callback.
; Takes no parameters and returns nothing; never called from this listing.
Procedure UnloadDebugger()
  SetUnhandledExceptionFilter_(#Null)
EndProcedure
; Debugger state shared with RunProgramEx(): the thread context read/written around each
; debug event, the STARTUPINFO/PROCESS_INFORMATION pair for CreateProcess_, and the
; DEBUG_EVENT record filled by WaitForDebugEvent_.
Global con.context
Global info.STARTUPINFO
info\cb =SizeOf(STARTUPINFO)
info\dwFlags =1 ; STARTF_USESHOWWINDOW: wShowWindow (set in RunProgramEx) is honoured
Global processinfo.PROCESS_INFORMATION
Global de.debug_event
Global ctde.create_thread_debug_info ; unused in this listing
; Runs filename.s under the Win32 debugging API and shows what it executes.
; Flow: CreateProcess_ with #DEBUG_PROCESS, then an endless WaitForDebugEvent_ loop.
; For every event the reporting thread's EFLAGS gets bit 8 (TF, trap flag) set, so the
; target raises EXCEPTION_SINGLE_STEP after each instruction; on the initial breakpoint
; and (throttled) on single-step events the bytes at the faulting EIP are copied out of
; the target with ReadProcessMemory_ and disassembled with the built-in
; ExamineAssembly()/NextInstruction() into TextGadget 0.
; Parameter: filename.s - path of the executable to run.
; Returns: nothing meaningful (no ProcedureReturn); the procedure only returns when an
; EXIT_PROCESS_DEBUG_EVENT arrives, or not at all via the jumps noted below.
; NOTE(review): the chosen executable and every child it spawns (#DEBUG_PROCESS, unlike
; #DEBUG_ONLY_THIS_PROCESS, debugs children too) are really executed with this user's
; rights - this is dynamic execution, not static analysis; run unknown binaries only in
; an isolated VM.
Procedure.l RunProgramEx(filename.s)
; lBuff is never assigned (0); *idh, *ish, pi, *inh, si, lpBaseAddres, Ctx, Addr, RET
; and i are declared but unused in this procedure.
Protected *idh.IMAGE_DOS_HEADER = lBuff
Protected *ish.IMAGE_SECTION_HEADERS
Protected pi.PROCESS_INFORMATION
Protected *inh.IMAGE_NT_HEADERS
Protected si.STARTUPINFO
Protected lpBaseAddres.l
Protected Ctx.CONTEXT
Protected Addr.l, RET.l, i.l
file$=filename.s ; PureBasic names are case-insensitive: this is the global File$
param$=""
If Left(param$,1)<>" " : param$=" "+param$ : EndIf ; command line becomes " " (no arguments)
; Info/ProcessInfo are the globals declared above (case-insensitive). dwFlags=1 is
; STARTF_USESHOWWINDOW; showflag is never assigned, so wShowWindow is 0 (SW_HIDE):
; a target that honours STARTUPINFO starts with its main window hidden -
; NOTE(review): probably unintended, confirm.
Info.STARTUPINFO : Info\cb=SizeOf(STARTUPINFO) : Info\dwFlags=1
Info\wShowWindow=showflag : ProcessInfo.PROCESS_INFORMATION
; Return value is not checked: if the launch fails nothing below notices. dir$ is never
; assigned, so lpCurrentDirectory points at an empty string - NOTE(review): verify what
; CreateProcess does with that on the target OS.
CreateProcess_(@file$,@param$,0,0,0,#DEBUG_PROCESS,0,@dir$,@Info,@ProcessInfo)
PiD=ProcessInfo\dwProcessId ; unused below
EndThread: ; unused label
; OpenThread is resolved at run time; OpenLibrary result is not checked before
; CallFunction() uses it at every event.
LibKernel32 = OpenLibrary(#PB_Any,"Kernel32.dll")
; $1FFFFF is the PROCESS_ALL_ACCESS / THREAD_ALL_ACCESS mask as defined from Vista on
; (XP's values have fewer bits); it is used as the thread access mask below.
#PROCESS_ALL_ACCESS_VISTA_WIN7 = $1FFFFF
Global iii ; unused
start=0 ; unused
stt=0 ; unused
; ---- main debug loop: one iteration per debug event (JMP l_restart at the end) ----
restart:
; Blocks with no timeout until the target produces an event; the GUI is only serviced
; inside the throttled single-step branch below. NOTE(review): the structure is passed
; as 'de.DEBUG_EVENT' without '@' - confirm this compiles to the address of de.
If WaitForDebugEvent_(de.DEBUG_EVENT,#INFINITE)
CloseHandle_(hthreadh) ; closes the handle of the previous event (0 on the first pass)
hThreadh = CallFunction(libkernel32,"OpenThread", #PROCESS_ALL_ACCESS_VISTA_WIN7, 0,de\DWthreadid)
con\ContextFlags = #CONTEXT_CONTROL
res=GetThreadContext_(hthreadh,@con) ; result unchecked (also everywhere below)
; dbgc selects the continue status at the bottom of the loop: 2 = DBG_EXCEPTION_NOT_HANDLED
; (default, so exceptions this loop does not recognise are passed on to the target's own
; handlers), 1 = DBG_CONTINUE (every recognised event sets it).
dbgc=2
If de\dwDebugEventCode=#EXIT_PROCESS_DEBUG_EVENT
dbgc=1
CloseHandle_(hthreadh)
MessageRequester("","done")
; Leaves without ContinueDebugEvent_ and without closing ProcessInfo\hProcess /
; ProcessInfo\hThread (the CloseHandle_ before endit: is unreachable).
Goto endit
EndIf
; The seven handlers below (LOAD_DLL .. CREATE_THREAD, CREATE_PROCESS) are copy-paste
; identical: re-read the context, OR $100 (bit 8 = TF) into EFLAGS, write it back, and
; ask for DBG_CONTINUE. The PUSH/POP keep eax intact around the inline asm.
If De\dwdebugeventcode=#LOAD_DLL_DEBUG_EVENT
dbgc=1
con\ContextFlags = #CONTEXT_CONTROL
res=GetThreadContext_(hthreadh,@con)
PUSH eax
MOV eax,con\eflags
OR eax,$100
MOV con\eflags,eax
POP eax
Res=SetThreadContext_(hthreadh,@con)
enddll: ; unused label
EndIf
If De\dwdebugeventcode=#OUTPUT_DEBUG_STRING_EVENT
dbgc=1
con\ContextFlags = #CONTEXT_CONTROL
res=GetThreadContext_(hthreadh,@con)
PUSH eax
MOV eax,con\eflags
OR eax,$100
MOV con\eflags,eax
POP eax
Res=SetThreadContext_(hthreadh,@con)
EndIf
If De\dwdebugeventcode=#RIP_EVENT
dbgc=1
con\ContextFlags = #CONTEXT_CONTROL
res=GetThreadContext_(hthreadh,@con)
PUSH eax
MOV eax,con\eflags
OR eax,$100
MOV con\eflags,eax
POP eax
Res=SetThreadContext_(hthreadh,@con)
EndIf
If De\dwdebugeventcode=#UNLOAD_DLL_DEBUG_EVENT
dbgc=1
con\ContextFlags = #CONTEXT_CONTROL
res=GetThreadContext_(hthreadh,@con)
PUSH eax
MOV eax,con\eflags
OR eax,$100
MOV con\eflags,eax
POP eax
Res=SetThreadContext_(hthreadh,@con)
EndIf
; Unreachable: EXIT_PROCESS was already handled (Goto endit) further up.
If De\dwdebugeventcode=#EXIT_PROCESS_DEBUG_EVENT
dbgc=1
con\ContextFlags = #CONTEXT_CONTROL
res=GetThreadContext_(hthreadh,@con)
PUSH eax
MOV eax,con\eflags
OR eax,$100
MOV con\eflags,eax
POP eax
Res=SetThreadContext_(hthreadh,@con)
EndIf
If De\dwdebugeventcode=#EXIT_THREAD_DEBUG_EVENT
dbgc=1
con\ContextFlags = #CONTEXT_CONTROL
res=GetThreadContext_(hthreadh,@con)
PUSH eax
MOV eax,con\eflags
OR eax,$100
MOV con\eflags,eax
POP eax
Res=SetThreadContext_(hthreadh,@con)
EndIf
If De\dwdebugeventcode=#CREATE_THREAD_DEBUG_EVENT
dbgc=1
con\ContextFlags = #CONTEXT_CONTROL
res=GetThreadContext_(hthreadh,@con)
PUSH eax
MOV eax,con\eflags
OR eax,$100
MOV con\eflags,eax
POP eax
Res=SetThreadContext_(hthreadh,@con)
; Unconditional jump: everything from here to enditall: is dead code (its only
; labels, again: and enditall2:, are targeted from inside the dead region). It was an
; attempt to disassemble the start address of each new thread.
Goto enditall
hthreadh2=de\u\createthread\hthread
ttt=OpenProcess_(#PROCESS_ALL_ACCESS,0,processinfo\dwprocessid)
DuplicateHandle_(ttt,hthreadh2,hthreadh,@hthreadh,0,0,#DUPLICATE_SAME_ACCESS)
createt=1
If createt=1
again:
con\ContextFlags = #CONTEXT_CONTROL
res=GetThreadContext_(hthreadh,@con)
dbgc=1
enditall2:
eap=de\u\createthread\lpstartaddress
Buffer = AllocateMemory(128)
ttt=0
text$=""
ttt=OpenProcess_(#PROCESS_ALL_ACCESS,0,de\dwprocessid)
ReadProcessMemory_(ttt, eap, Buffer, 128, 0)
CloseHandle_(ttt)
If ExamineAssembly(buffer, buffer+128)
While NextInstruction()
Text$ + RSet(Hex(InstructionAddress()), SizeOf(Integer)*2, "0")
Text$ + " " + InstructionString() + Chr(13)
Wend
EndIf
endit3:
MessageRequester("create thread exception start code of created thread","Real address start="+Hex(eap)+Chr(13)+text$)
FreeMemory(buffer)
Goto enditall2
Buffer = AllocateMemory(16)
ttt=0
text$=""
ttt=OpenProcess_(#PROCESS_ALL_ACCESS,0,processinfo\dwprocessid)
ReadProcessMemory_(ttt, eap, Buffer, 16, 0)
CloseHandle_(ttt)
If ExamineAssembly(buffer, buffer+16)
While NextInstruction()
Text$ + RSet(Hex(InstructionAddress()), SizeOf(Integer)*2, "0")
Text$ + " " + InstructionString() + Chr(13)
Wend
EndIf
Event = WindowEvent()
SetGadgetText(0,"CURRENT INSTRUCTION BELOW:"+Chr(13)+TEXT$)
FreeMemory(buffer)
Goto again
enditall:
EndIf
EndIf
If De\dwdebugeventcode=#CREATE_PROCESS_DEBUG_EVENT
dbgc=1
con\ContextFlags = #CONTEXT_CONTROL
res=GetThreadContext_(hthreadh,@con)
PUSH eax
MOV eax,con\eflags
OR eax,$100
MOV con\eflags,eax
POP eax
Res=SetThreadContext_(hthreadh,@con)
EndIf
If De\dwDebugEventCode=#EXCEPTION_DEBUG_EVENT
; Initial (loader) breakpoint and any int3 in the target: set TF and show 128 bytes of
; code at the exception address.
If De\u\Exception\ExceptionRecord\ExceptionCode=#EXCEPTION_BREAKPOINT
dbgc=1
; Handle leak: hThreadh was already opened for this event above and is overwritten
; here without CloseHandle_ - one thread handle is lost per breakpoint.
hThreadh = CallFunction(libkernel32,"OpenThread", #PROCESS_ALL_ACCESS_VISTA_WIN7, 0,de\DWthreadid)
con\ContextFlags = #CONTEXT_CONTROL
res=GetThreadContext_(hthreadh,@con)
OR con\eflags,$100
Res=SetThreadContext_(hthreadh,@con)
dbgc=1
eap=de\u\exception\exceptionrecord\exceptionaddress
Buffer = AllocateMemory(128)
ttt=0
text$=""
; Least privilege: ReadProcessMemory_ only needs PROCESS_VM_READ, not PROCESS_ALL_ACCESS.
ttt=OpenProcess_(#PROCESS_ALL_ACCESS,0,de\dwprocessid)
; Result unchecked: a 128-byte read that crosses into an unmapped page fails as a
; whole and the (freshly allocated) buffer is disassembled instead of target code.
ReadProcessMemory_(ttt, eap, Buffer, 128, 0)
CloseHandle_(ttt)
; Disassembles the local copy. NOTE(review): InstructionAddress() presumably reports
; addresses inside Buffer, not inside the target - the listing prints them as if they
; were target addresses; verify and rebase by (eap - Buffer) if so.
If ExamineAssembly(buffer, buffer+128)
While NextInstruction()
Text$ + RSet(Hex(InstructionAddress()), SizeOf(Integer)*2, "0")
Text$ + " " + InstructionString() + Chr(13)
Wend
EndIf
FreeMemory(buffer)
EndIf
tt$=""
; Single-step (TF was set on the previous event): re-arm TF, then refresh the display
; only about once per 1000 steps (ep2 cycles 1..1000; the refresh runs when ep2 is
; 999 or 1000) and only if EIP differs from the last one shown.
If de\u\exception\exceptionrecord\exceptioncode=#EXCEPTION_SINGLE_STEP
dbgc=1
tt$="Single step"
con\ContextFlags = #CONTEXT_CONTROL
res=GetThreadContext_(hthreadh,@con)
PUSH eax
MOV eax,con\eflags
OR eax,$100
MOV con\eflags,eax
POP eax
Res=SetThreadContext_(hthreadh,@con)
dbgc=1
If eap2=0
eap2=con\eip-1 ; seed so the first comparison below never matches
EndIf
ep2=ep2+1
If ep2>1000
ep2=0
EndIf
If ep2<999 : Goto endsinglestep : EndIf
eep=0 ; unused
If con\eip=eap2
Goto endsinglestep
EndIf
eap2=con\eip
eap=con\eip
Buffer = AllocateMemory(16)
ttt=0
text$=""
ttt=OpenProcess_(#PROCESS_ALL_ACCESS,0,de\dwprocessid) ; PROCESS_VM_READ would suffice
ReadProcessMemory_(ttt, eap, Buffer, 16, 0) ; result unchecked, see breakpoint branch
CloseHandle_(ttt)
If ExamineAssembly(buffer, buffer+16)
While NextInstruction()
Text$ + RSet(Hex(InstructionAddress()), SizeOf(Integer)*2, "0")
Text$ + " " + InstructionString() + Chr(13)
Wend
EndIf
; Only place the window is polled, i.e. once per ~1000 single-steps. On close the
; jump goes to the main-scope label exitprog: (outside this procedure) -
; NOTE(review): confirm the compiler accepts that; it skips EndProcedure and never
; calls ContinueDebugEvent_, so the target stays stopped until this debugger exits.
Event = WindowEvent()
If event=#PB_Event_CloseWindow
CloseHandle_(hthreadh)
FreeMemory(buffer)
Goto exitprog
EndIf
text$+Chr(13)+"You might need to attempt mouse movements or clicks on the disassembled while executed program if disassembly stops."
; eddx is incremented once per debug event at the bottom of the loop, so it counts
; events (almost all of them single-steps), not strictly instructions.
SetGadgetText(0,"CURRENT INSTRUCTION BELOW: # of instuctions executed = "+Str(eddx)+Chr(13)+TEXT$)
FreeMemory(buffer)
endsinglestep:
EndIf
ahead2: ; unused label
EndIf
; Computed for every event, even non-exception ones where the union holds other data;
; asm$, BaseAdr, EndAdr and Laenge are not consumed anywhere in this listing.
asm$=""
baseadr=de\u\exception\exceptionrecord\exceptionaddress
endadr=baseadr+4096
Laenge = (EndAdr - BaseAdr)
; Redundant second TF set for every recognised event (each handler above already did it).
If dbgc=1
con\ContextFlags = #CONTEXT_CONTROL
res=GetThreadContext_(hthreadh,@con)
rerun: ; unused label
PUSH eax
MOV eax,con\eflags
OR eax,$100
MOV con\eflags,eax
POP eax
;eddx=eddx+1
Res=SetThreadContext_(hthreadh,@con)
EndIf
eddx=eddx+1 ; debug-event counter shown in the gadget text
;dbgc=1
;'dbgc=1
; Resume the target. DBG_EXCEPTION_NOT_HANDLED for unrecognised exceptions is the right
; choice: it hands e.g. access violations to the target's own handlers instead of
; silently swallowing them.
If dbgc=1
res=ContinueDebugEvent_(de\dwprocessid,de\dwthreadid,#DBG_CONTINUE)
EndIf
If dbgc=2
res=ContinueDebugEvent_(de\dwprocessid,de\dwthreadid,#DBG_EXCEPTION_NOT_HANDLED);
EndIf
EndIf
; Inline-asm equivalent of 'Goto restart' (PureBasic exposes labels to the assembler
; with an l_ prefix). It runs even when WaitForDebugEvent_ failed, so a failed launch
; spins here forever instead of returning.
JMP l_restart
; Unreachable: nothing jumps to exitdone: and the JMP above never falls through.
exitdone:
CloseHandle_(processinfo\hthread)
endit:
EndProcedure
; --- Main program ---------------------------------------------------------------------
; Asks for a 32-bit PE executable, opens a 640x480 window holding one full-size
; TextGadget (gadget 0, light text on a near-black background) into which
; RunProgramEx() writes the disassembly, and runs the chosen file under the debugger.
; The labels startit: and exitprog: are kept as jump targets (exitprog: is used by the
; cancel path below and by RunProgramEx()).
Pattern$ = "PE EXE (*.exe)|*.exe;*.exe"
Pattern = 0 ; pre-select the first (and only) filter pattern
fFile$ = OpenFileRequester("Please choose file to load", "testprogram.exe", Pattern$, Pattern)
If fFile$ = ""
  Goto exitprog ; requester cancelled: nothing to run
EndIf
WindowFlags = #PB_Window_SystemMenu | #PB_Window_MinimizeGadget | #PB_Window_MaximizeGadget
OpenWindow(0, 0, 0, 640, 480, fFile$ + " DISASSEMBLY While EXECUTION", WindowFlags)
SetWindowColor(0, RGB(0, 0, 0))
TextGadget(0, 0, 0, 640, 480, "")
SetGadgetColor(0, #PB_Gadget_FrontColor, RGB($FF, $FF, $99)) ; pale yellow text
SetGadgetColor(0, #PB_Gadget_BackColor, RGB(15, 0, 0))       ; original literal was $00f (= 15): very dark red, kept as-is
startit:
RunProgramEx(fFile$)
exitprog:
Re: Debugger disassembly while executing EXE(Windows)
What is a script kiddy?
Re: Debugger disassembly while executing EXE(Windows)
I looked up "script kiddy". I wrote that source code while studying Windows debugging all by myself, because I was going to build a debugger. Script kiddies are, by definition, people into hacking on the net.

Re: Debugger disassembly while executing EXE(Windows)
Well, it's just his signature. Every post of Rings has this text at the end (until he changes it to something else).goldbaby wrote:What is a script kiddy?

If any of you native English speakers have any suggestions for the above text, please let me know (via PM). Thanks!
Re: Debugger disassembly while executing EXE(Windows)
The code is excellent and loads the program up pretty quickly, but it doesn't work 100% for all 32-bit Windows software; some programs have debugger detection etc. I wrote this code because I was building a debugger and thought anyone building one would definitely want my source code. Use the cleaned-up copy of the code; it works like a charm. I would love to see any feedback about what you think of my disassembler-while-executing for Win32 applications, which I wrote in PureBasic; it took me a little while studying the Windows debugging API to write it.